Updated, corrected to clarify that EE is not using Imperva’s WAF product. (The company cites the mobile carrier as an early WAF adopter and user of another, unaffected product).
Cloud security specialist Imperva says its Cloud Web Application Firewall (WAF) product has been hacked, with a “subset” of customers’ API keys and SSL certificates stolen in the attack which was discovered on August 20.
The Redwood Shores, California-based firm – which was bought by private equity giant Thoma Bravo for for $2.1 billion in October 2018 – says the breach was disclosed to it by a third-party. The company has yet to reveal details of that disclosure.
Imperva’s WAF was previously known as Incapsula. The company describes it as “a key component of Imperva’s market-leading, full stack application security solution which brings defense-in-depth to a new level.”
CEO Chris Hylen wrote: “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017 were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”
Imperva Hacked: “Profoundly Regrets” Incident
Rich Mogull, founder of cloud security firm DisruptOps told Brian Krebs that stolen customer API keys and SSL certificates could, in a worst case scenario, allow an attacker “to intercept, view or modify traffic destined for an Incapsula client web site, and even to divert all traffic for that site to or through a site owned by the attacker.”
He added: They could modify any of the security Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up their with their worst nightmare.”
Does anyone have real insight into what functionality the #imperva API offers? Can one create or change configs? Could one create a reverse proxy or NAT rule? Documentation seems scant…
— Charl van der Walt 🌻 (@charlvdwalt) August 27, 2019
SensePost founder Charl van der Walt told Computer Business Review: “Conceptually, the attacker gets all the functionality the API keys offer, which might be as much as being logged in to the UI. I can’t see at a glance what their API might offer, and no one else seems to know either. The comments I’ve seen are suggesting ‘not much’.
He added: “Abusing SSL keys requires some kind of Hacker In the Middle scenario, which is scary, but much less scalable.”
Imperva’s CEO told customers: “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”
Imperva has “implemented forced password rotations and 90-day expirations in our Cloud WAF product” he wrote today. (Critics may note that this is shutting the stable door after the horse has bolted and given the prevalence of credential stuffing/password re-use, may have been wise to implement earlier…)
See also: An Idiot’s Guide to Dealing with Hackers
The company says it is encouraging customers to:
- Change user account passwords for Cloud WAF (https://my.incapsula.com)
- Implement Single Sign-On (SSO)
- Enable two-factor authentication
- Generate and upload new SSL certificate
- Reset API keys
CEO Chris Hylen added: “We profoundly regret that this incident occurred and will continue to share updates going forward.”
Computer Business Review has contacted the company with a number of further questions. The incident is the latest data breach involving a cybersecurity company. Earlier this year Trend Micro admitted it had also suffered a data breach following a widely publicised incident.